Skip to main content

Google Chrome EUVDEUVD-2026-42458

| CVE-2026-15130 MEDIUM
Client-Side Enforcement of Server-Side Security (CWE-602)
2026-07-08 chrome-cve-admin@google.com GHSA-wvr7-3cpq-c6mg
4.3
CVSS 3.1 · Vendor: google
Share

Severity by source

Vendor (google) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network delivery via crafted page (AV:N), no privileges needed (PR:N), user must visit page (UI:R), limited cross-origin read only (C:L), no write or availability impact confirmed.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (google).

CVSS VectorVendor: google

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 09, 2026 - 12:17 vuln.today
CVSS changed
Jul 09, 2026 - 11:22 NVD
4.3 (MEDIUM)
CVE Published
Jul 08, 2026 - 23:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 08, 2026 - 23:16 cve.org
MEDIUM 4.3

DescriptionCVE.org

Insufficient policy enforcement in Navigation in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

AnalysisAI

Insufficient navigation policy enforcement in Google Chrome prior to 150.0.7871.115 enables site isolation bypass when a user visits a crafted HTML page. A remote, unauthenticated attacker (per CVSS PR:N) can exploit this to read limited cross-origin data, undermining Chrome's core renderer process separation architecture. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts malicious HTML page exploiting navigation flaw
Delivery
Victim lured to page via phishing or malicious ad
Exploit
Crafted navigation sequence submitted to Chrome renderer
Execution
Navigation policy enforcement check bypassed
Persist
Site isolation boundary crossed
Impact
Limited cross-origin data read by attacker-controlled page

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to be running Google Chrome prior to 150.0.7871.115 on a desktop platform and to actively visit an attacker-controlled HTML page - user interaction (UI:R) is mandatory, meaning passive drive-by exploitation without any user navigation action is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.3 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N reflects a realistic but constrained threat: network-reachable, low-complexity exploitation requiring only that the victim visit a malicious page, but limited to low confidentiality impact with no integrity or availability consequence and unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a crafted HTML page containing navigation sequences designed to exploit the policy enforcement gap in Chrome's Navigation component. The victim is directed to this page via a phishing email, malicious advertisement, or compromised website. …
Remediation Update Google Chrome to version 150.0.7871.115 or later immediately via Settings > Help > About Google Chrome or through the vendor's stable channel release documented at https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42458 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy